add tls variant

isabelatkinson · isabelatkinson · commit 78385052750d · 2025-12-02T09:41:10.000-07:00
diff --git a/Cargo.lock b/Cargo.lock
diff --git a/src/runtime/stream.rs b/src/runtime/stream.rs
@@ -6,7 +6,10 @@ use std::{
     time::Duration,
 };
 
-use tokio::{io::AsyncWrite, net::TcpStream};
+use tokio::{
+    io::{AsyncRead, AsyncWrite},
+    net::TcpStream,
+};
 
 use crate::{
     error::{Error, ErrorKind, Result},
@@ -33,7 +36,7 @@ pub(crate) enum AsyncStream {
     Tcp(TcpStream),
 
     /// A TLS connection over TCP.
-    Tls(TlsStream),
+    Tls(TlsStream<TcpStream>),
 
     /// A Unix domain socket connection.
     #[cfg(unix)]
@@ -42,6 +45,10 @@ pub(crate) enum AsyncStream {
     /// A connection to a SOCKS5 proxy.
     #[cfg(feature = "socks5-proxy")]
     Socks5(fast_socks5::client::Socks5Stream<TcpStream>),
+
+    /// A TLS connection to a SOCKS5 proxy.
+    #[cfg(feature = "socks5-proxy")]
+    Socks5Tls(TlsStream<fast_socks5::client::Socks5Stream<TcpStream>>),
 }
 
 #[derive(Clone, Debug)]
@@ -54,8 +61,10 @@ pub(crate) struct Proxy {
 #[cfg(feature = "socks5-proxy")]
 impl Proxy {
     pub(crate) fn from_client_options(options: &crate::options::ClientOptions) -> Option<Self> {
+        static DEFAULT_SOCKS5_PROXY_PORT: u16 = 1080;
+
         let host = options.proxy_host.as_ref()?;
-        let port = options.proxy_port.unwrap_or(1080);
+        let port = options.proxy_port.unwrap_or(DEFAULT_SOCKS5_PROXY_PORT);
         let authentication = match (&options.proxy_username, &options.proxy_password) {
             (Some(username), Some(password)) => Some((username.clone(), password.clone())),
             // ClientOptions::validate will return an error if the username and password are not
@@ -70,37 +79,28 @@ impl Proxy {
 
     async fn connect(
         &self,
-        target_address: ServerAddress,
-        connect_timeout: Duration,
-    ) -> Result<AsyncStream> {
+        host: String,
+        port: Option<u16>,
+    ) -> Result<fast_socks5::client::Socks5Stream<TcpStream>> {
+        use crate::options::DEFAULT_PORT;
         use fast_socks5::{
             client::{Config, Socks5Stream},
             SocksError,
         };
 
-        let mut config = Config::default();
-        config.set_connect_timeout(connect_timeout.as_secs());
-
-        let ServerAddress::Tcp { host, port } = target_address else {
-            // this condition is checked in ClientOptions::validate
-            return Err(Error::internal(format!(
-                "attempted to connect to proxy server with non-TCP address"
-            )));
-        };
-        let port = port.unwrap_or(27107);
-
+        let port = port.unwrap_or(DEFAULT_PORT);
         let stream = if let Some((username, password)) = self.authentication.as_ref() {
             Socks5Stream::connect_with_password(
                 &self.address,
                 host,
                 port,
                 username.clone(),
                 password.clone(),
-                config,
+                Config::default(),
             )
             .await
         } else {
-            Socks5Stream::connect(&self.address, host, port, config).await
+            Socks5Stream::connect(&self.address, host, port, Config::default()).await
         }
         .map_err(|error| {
             if let SocksError::Io(io_error) = error {
@@ -111,7 +111,7 @@ impl Proxy {
                 }
             }
         })?;
-        Ok(AsyncStream::Socks5(stream))
+        Ok(stream)
     }
 }
 impl AsyncStream {
@@ -121,14 +121,21 @@ impl AsyncStream {
         connect_timeout: Duration,
         #[cfg(feature = "socks5-proxy")] proxy: Option<&Proxy>,
     ) -> Result<Self> {
-        #[cfg(feature = "socks5-proxy")]
-        if let Some(proxy) = proxy {
-            return proxy.connect(address, connect_timeout).await;
-        }
-
-        runtime::timeout(connect_timeout, async {
+        let connect = async {
             match &address {
-                ServerAddress::Tcp { host, .. } => {
+                #[allow(unused)] // port is unused when socks5-proxy is not enabled
+                ServerAddress::Tcp { host, port } => {
+                    #[cfg(feature = "socks5-proxy")]
+                    if let Some(proxy) = proxy {
+                        let inner = proxy.connect(host.clone(), port.clone()).await?;
+                        return match tls_cfg {
+                            Some(cfg) => {
+                                Ok(AsyncStream::Socks5Tls(tls_connect(host, inner, cfg).await?))
+                            }
+                            None => Ok(AsyncStream::Socks5(inner)),
+                        };
+                    }
+
                     let resolved: Vec<_> = runtime::resolve_address(&address).await?.collect();
                     if resolved.is_empty() {
                         return Err(ErrorKind::DnsResolve {
@@ -149,8 +156,9 @@ impl AsyncStream {
                     tokio::net::UnixStream::connect(path.as_path()).await?,
                 )),
             }
-        })
-        .await?
+        };
+
+        runtime::timeout(connect_timeout, connect).await?
     }
 }
 
@@ -247,22 +255,22 @@ fn interleave<T>(left: Vec<T>, right: Vec<T>) -> Vec<T> {
     out
 }
 
-impl tokio::io::AsyncRead for AsyncStream {
+impl AsyncRead for AsyncStream {
     fn poll_read(
         mut self: Pin<&mut Self>,
         cx: &mut Context<'_>,
         buf: &mut tokio::io::ReadBuf<'_>,
     ) -> Poll<std::io::Result<()>> {
         match self.deref_mut() {
             Self::Null => Poll::Ready(Ok(())),
-            Self::Tcp(ref mut inner) => tokio::io::AsyncRead::poll_read(Pin::new(inner), cx, buf),
-            Self::Tls(ref mut inner) => tokio::io::AsyncRead::poll_read(Pin::new(inner), cx, buf),
+            Self::Tcp(ref mut inner) => AsyncRead::poll_read(Pin::new(inner), cx, buf),
+            Self::Tls(ref mut inner) => AsyncRead::poll_read(Pin::new(inner), cx, buf),
             #[cfg(unix)]
-            Self::Unix(ref mut inner) => tokio::io::AsyncRead::poll_read(Pin::new(inner), cx, buf),
+            Self::Unix(ref mut inner) => AsyncRead::poll_read(Pin::new(inner), cx, buf),
             #[cfg(feature = "socks5-proxy")]
-            Self::Socks5(ref mut inner) => {
-                tokio::io::AsyncRead::poll_read(Pin::new(inner), cx, buf)
-            }
+            Self::Socks5(ref mut inner) => AsyncRead::poll_read(Pin::new(inner), cx, buf),
+            #[cfg(feature = "socks5-proxy")]
+            Self::Socks5Tls(ref mut inner) => AsyncRead::poll_read(Pin::new(inner), cx, buf),
         }
     }
 }
@@ -281,6 +289,8 @@ impl AsyncWrite for AsyncStream {
             Self::Unix(ref mut inner) => AsyncWrite::poll_write(Pin::new(inner), cx, buf),
             #[cfg(feature = "socks5-proxy")]
             Self::Socks5(ref mut inner) => AsyncWrite::poll_write(Pin::new(inner), cx, buf),
+            #[cfg(feature = "socks5-proxy")]
+            Self::Socks5Tls(ref mut inner) => AsyncWrite::poll_write(Pin::new(inner), cx, buf),
         }
     }
 
@@ -293,6 +303,8 @@ impl AsyncWrite for AsyncStream {
             Self::Unix(ref mut inner) => AsyncWrite::poll_flush(Pin::new(inner), cx),
             #[cfg(feature = "socks5-proxy")]
             Self::Socks5(ref mut inner) => AsyncWrite::poll_flush(Pin::new(inner), cx),
+            #[cfg(feature = "socks5-proxy")]
+            Self::Socks5Tls(ref mut inner) => AsyncWrite::poll_flush(Pin::new(inner), cx),
         }
     }
 
@@ -305,6 +317,8 @@ impl AsyncWrite for AsyncStream {
             Self::Unix(ref mut inner) => Pin::new(inner).poll_shutdown(cx),
             #[cfg(feature = "socks5-proxy")]
             Self::Socks5(ref mut inner) => Pin::new(inner).poll_shutdown(cx),
+            #[cfg(feature = "socks5-proxy")]
+            Self::Socks5Tls(ref mut inner) => Pin::new(inner).poll_shutdown(cx),
         }
     }
 
@@ -321,6 +335,8 @@ impl AsyncWrite for AsyncStream {
             Self::Unix(ref mut inner) => Pin::new(inner).poll_write_vectored(cx, bufs),
             #[cfg(feature = "socks5-proxy")]
             Self::Socks5(ref mut inner) => Pin::new(inner).poll_write_vectored(cx, bufs),
+            #[cfg(feature = "socks5-proxy")]
+            Self::Socks5Tls(ref mut inner) => Pin::new(inner).poll_write_vectored(cx, bufs),
         }
     }
 
@@ -333,6 +349,8 @@ impl AsyncWrite for AsyncStream {
             Self::Unix(ref inner) => inner.is_write_vectored(),
             #[cfg(feature = "socks5-proxy")]
             Self::Socks5(ref inner) => inner.is_write_vectored(),
+            #[cfg(feature = "socks5-proxy")]
+            Self::Socks5Tls(ref inner) => inner.is_write_vectored(),
         }
     }
 }
diff --git a/src/runtime/tls_openssl.rs b/src/runtime/tls_openssl.rs
@@ -4,15 +4,15 @@ use openssl::{
     error::ErrorStack,
     ssl::{SslConnector, SslFiletype, SslMethod, SslVerifyMode},
 };
-use tokio::net::TcpStream;
+use tokio::io::{AsyncRead, AsyncWrite};
 use tokio_openssl::SslStream;
 
 use crate::{
     client::options::TlsOptions,
     error::{Error, ErrorKind, Result},
 };
 
-pub(super) type TlsStream = SslStream<TcpStream>;
+pub(super) type TlsStream<T> = SslStream<T>;
 
 /// Configuration required to use TLS. Creating this is expensive, so its best to cache this value
 /// and reuse it for multiple connections.
@@ -40,11 +40,11 @@ impl TlsConfig {
     }
 }
 
-pub(super) async fn tls_connect(
+pub(super) async fn tls_connect<T: AsyncRead + AsyncWrite + Unpin>(
     host: &str,
-    tcp_stream: TcpStream,
+    tcp_stream: T,
     cfg: &TlsConfig,
-) -> Result<TlsStream> {
+) -> Result<TlsStream<T>> {
     let mut stream = make_ssl_stream(host, tcp_stream, cfg).map_err(|err| {
         Error::from(ErrorKind::InvalidTlsConfig {
             message: err.to_string(),
@@ -120,11 +120,11 @@ fn make_openssl_connector(cfg: TlsOptions) -> Result<SslConnector> {
     Ok(builder.build())
 }
 
-fn make_ssl_stream(
+fn make_ssl_stream<T: AsyncRead + AsyncWrite>(
     host: &str,
-    tcp_stream: TcpStream,
+    tcp_stream: T,
     cfg: &TlsConfig,
-) -> std::result::Result<SslStream<TcpStream>, ErrorStack> {
+) -> std::result::Result<SslStream<T>, ErrorStack> {
     let ssl = cfg
         .connector
         .configure()?
diff --git a/src/runtime/tls_rustls.rs b/src/runtime/tls_rustls.rs
@@ -12,7 +12,7 @@ use rustls::{
     Error as TlsError,
     RootCertStore,
 };
-use tokio::net::TcpStream;
+use tokio::io::{AsyncRead, AsyncWrite};
 use tokio_rustls::TlsConnector;
 use webpki_roots::TLS_SERVER_ROOTS;
 
@@ -21,7 +21,7 @@ use crate::{
     error::{ErrorKind, Result},
 };
 
-pub(super) type TlsStream = tokio_rustls::client::TlsStream<TcpStream>;
+pub(super) type TlsStream<T> = tokio_rustls::client::TlsStream<T>;
 
 /// Configuration required to use TLS. Creating this is expensive, so its best to cache this value
 /// and reuse it for multiple connections.
@@ -42,11 +42,11 @@ impl TlsConfig {
     }
 }
 
-pub(super) async fn tls_connect(
+pub(super) async fn tls_connect<T: AsyncRead + AsyncWrite + Unpin>(
     host: &str,
-    tcp_stream: TcpStream,
+    tcp_stream: T,
     cfg: &TlsConfig,
-) -> Result<TlsStream> {
+) -> Result<TlsStream<T>> {
     let name = ServerName::try_from(host)
         .map_err(|e| ErrorKind::DnsResolve {
             message: format!("could not resolve {host:?}: {e}"),
